Data transmission method and device

ABSTRACT

The invention relates to a method for transmitting data in a redundant automation system (2), comprising a plurality of data transmission units (6) and a plurality of data processing units (4). The aim of the invention is to improve said method in such a way that data can be transmitted in an especially efficient manner with the hardware resources available. To this end, a data flow characteristic of the data transmission is continuously monitored on the respective data transmission units (6) and, depending on the data flow, is switched between the various operating modes in such a manner that an operating mode is adjusted when a synchronized data flow is detected on at least two data transmission units (6), said operating mode having a higher availability vis-à-vis the operating mode with a defective or one-way data flow on one of the data transmission units (6).

[0001] The invention relates to a method and a device for transmitting data, for example in a redundant computer system, in particular in a high-availability system.

[0002] Usually, redundant concepts of automation systems or computer systems are distinguished according to media redundancy or system redundancy in terms of their availability and apportionment of the redundant nodes.

[0003] Media redundancy is understood as the redundant implementation of transmission units in order to increase the availability of the transmission units between two communicating data processing units. Media redundancy, in which in each case one redundant node is provided for the medium and one for the transmitting station in the manner of comparatively tight redundant nodes, is used in particular for reliability-related automation systems or control systems of equipment in which a failure of the data communication can lead to critical situations in the equipment. Media-redundant systems are insensitive to effects in systems which are connected to one another. A disadvantage here is that it is not possible to perform diagnostics with respect to a fault on the individual systems which are connected to one another, or this is possible only to a very limited degree. Furthermore, failure leads to a considerable reduction in the availability of the system and considerable increase in the reaction times in the system.

[0004] In contrast, in the case of system redundancy, in which only a single redundant node can be provided for an entire system in a manner of comparatively wide redundant nodes, the availability of the entire computer system can be increased by making in particular the reliability-related data processing units and other components, for example decentralized controllers, printers, redundant. Usually, the central control and safety-related input and output modules, in particular, are made redundant here. By means of such redundancy which relates largely to the entire system, particularly high availability is provided, it being possible to provide targeted diagnostics for individual faults.

[0005] For media-redundant systems, usually so-called control gear is provided which connects two-channel or multiply redundant data transmission from a single-channel control or data processing unit. Switching over or combining media redundancy and system redundancy is currently not possible.

[0006] The invention is therefore based on the object of specifying a method and a device for transmitting data between data processing units which communicate with one another, in a networked system in which the highest possible degree of utilization of the given communications resources is made possible.

[0007] The first object is achieved according to the invention by means of a method for transmitting data in a redundant automation system, comprising a number of data transmission units and a number of data processing units, in which method a data flow which characterizes the data transmission is continuously monitored on the respective data transmission units and, as a function of the data flow, switching over is performed between different operating modes in such a way that, when a synchronized data flow is present on at least two data transmission units, an operating mode is set which has a higher availability in comparison with an operating mode when there is a faulty or one-way data flow on one of the data transmission units.

[0008] A combination or switch-over between various availability levels of the redundant data transmission units, and thus of the redundant automation system, is provided by means of such a setting of the operating mode which takes into account the respective data flow on the particular data transmission units as well as the redundancies of the data transmission units which are available by means of hardware.

[0009] The subsequent data flow is expediently implemented as a function of the operating mode which is set via one of the data transmission units or via a plurality of data transmission units. This permits a transmission of data which is both particularly fault-free and has high availability. In a high-availability data transmission—i.e. redundant data transmission largely simultaneously via a plurality of data transmission units—the particular data transmission units are synchronized. The operating mode which characterizes the high-availability data transmission is referred to in what follows as media-redundant operating mode.

[0010] In order to avoid feedback on data processing units which are subject to faults, a predefined operating mode is preferably set as a function of the state of one of the data processing units. This permits non-interacting exchange of data via the data transmission unit.

[0011] For a particularly fault-free exchange of data, one of the data transmission units is defined and set as a priority channel and a further data transmission unit is defined and set as a backup channel as a function of the operating mode which is set. For example, when there is an unequal reception of data via a plurality of data transmission units, the data transmission unit with the fault-free data flow is defined as the priority channel, and the data transmission unit with a data flow which is subject to fault is defined as the backup channel. Alternatively, the data transmission unit by means of which process-related and/or security-related data is transmitted is defined as the priority channel. In contrast, the data transmission unit by means of which diagnostics-related and/or management-related data is transmitted is defined as the backup channel. This operating mode in which the data transmission units are configured for different data flows is referred to in what follows as system-redundant operating mode.

[0012] For a data transmission which ensures a high reliability standard and in which the same data is exchanged in parallel via a plurality of data transmission units, the operating mode with high availability, in which the data flow via all the respective data transmission units is continuously monitored, is expediently set. This ensures that a failure of an individual data transmission channel is detected as quickly as possible. Such a line diagnostics function permits preventative detection and maintenance of the channels. In particular, in the case of reception which is subject to faults or one-way or single-channel reception, it is possible to switch over directly to the system-redundant operating mode.

[0013] The second object is achieved according to the invention by means of a device for transmitting data in a redundant automation system, comprising a number of data processing units which are connected to one another via a number of data transmission units, at least one data processing unit comprising a redundancy module for monitoring a data flow which characterizes the data transmission, one of a plurality of operating modes being capable of being set as a function of the data flow by means of the redundancy module, in such a way that when a synchronized data flow is present on at least two data transmission units, it is possible to set an operating mode which has a higher availability in comparison with an operating mode when there is a faulty or one-way data flow on one of the data transmission units. The redundancy module is used here for automatically controlling switching over from one operating mode into another operating mode utilizing the existing data transmission modes in terms of hardware and/or software. That is to say a plurality of data transmission units are provided, and, if a fault-free data transmission is identified by means of the diagnostics, the system is switched over by means of the redundancy module into an operating mode which has the highest possible availability—media-redundant operating mode—in which the same data is transmitted in parallel, and approximately simultaneously and thus redundantly, via a plurality of data transmission units. For this purpose, the data transmission units are synchronized.

[0014] The advantages achieved with the invention are in particular the fact that various operating modes which are graduated in terms of availability or redundancy can be set automatically as a function of the quality of the data flow on the data transmission units and as a function of the number, the type and the function of the data transmission units and/or the data processing units. Optimum adaptation is assured here in the superordinate system irrespective of the quality of the data flow. Rapid diagnostics and data transmission which is optimized in terms of the current hardware resources and/or the current communications resources are thus made possible by virtue of the continuous monitoring.

[0015] Exemplary embodiments of the invention are explained in more detail by reference to a drawing.

[0016] The FIGURE shows a device for transmitting data in a redundant automation system 2. The automation system 2 is, for example, a stored program controller or a networked computer system. The automation system 2 comprises a number of data processing units 4 which are connected to one another via a number of data transmission units 6. Depending on the type and embodiment of the automation system 2, the data processing units 4 and/or the data transmission units 6 are embodied so as to be simple, simply redundant and/or multiply redundant. The FIGURE illustrates one of the two data processing units 4 with simple redundancy. The other data processing unit 4 (the lower one in the FIGURE) is of simple design. The two data processing units 4 are connected to one another via two data transmission units 6 which are of redundant design.

[0017] The data processing units 4 each have a redundancy module 8 for monitoring a data flow which characterizes the data transmission. One of a plurality of operating modes is set by means of the redundancy module 8 as a function of the determined data flow in such a way that when a synchronized data flow is present on the two data transmission units 6, it is possible to set an operating mode which has a higher availability in comparison with an operating mode with a fault-free data flow on one of the data transmission units 6. This highly available operating mode with synchronized data flow is also referred to as media-redundant operating mode.

[0018] In the basic setting of the reception-end redundancy module 8, the latter waits for data from both transmission units 6. Depending on the type of data flow, a respective operating mode is set. In the event of different data being received by means of the two data transmission units 6 or faulty data being received from one of the two data transmission units 6, one of the data transmission units 6 is set as the priority channel. This operating mode is referred to as system-redundant operating mode.

[0019] Here, the priority channel is selected by means of the redundancy module 8 by reference to the preferred data transmission unit 6 which is predefined for the respective data processing unit 4. The other data transmission unit 6 is defined as the backup channel.

[0020] After the data has been received, by reference to a fault statistic for the respective data transmission unit 6, the redundancy module 8 is used to define and set as the priority channel that data transmission unit 6 which had the fewest faults during the data transmission in the past. The data transmission unit 6 via which the data flow is being executed is indicated to the respective data processing unit 4. Here, the application-specific and/or function-specific data traffic is carried out in the system-redundant operating mode by means of the data transmission unit 6 which is defined as the priority channel. The transmission unit 6 which is set as the backup channel is used only for the information-related and/or management-related data traffic.

[0021] In the event of the data being the same on both data transmission units 6, the two data transmission units 6 are synchronized when the data is received in the basic setting of the redundancy module 8. The synchronization corresponds here approximately to a time range (=delay) which is the maximum permitted between the two data transmission units 6 for the redundant transmission of the same data. If this is not implemented within the time range (also referred to as synchronization window), one data transmission unit 6 is defined and set as the priority channel by means of the redundancy module 8 by reference to the quality and function of the respective data transmission unit 6.

[0022] When synchronization has been successful, the system is switched over into the media-redundant operating mode by means of the redundancy module 8. The subsequent data flow via the data transmission unit 6 is continuously monitored in the media-redundant operating mode in that the data items received from the two data transmission units 6 are compared with one another. Furthermore, the individual data is checked for faults and only fault-free data or telegrams are processed by means of the respective data processing unit 4. Given identity between the data items, the data transmission units 6 are switched to the active setting and the media-redundant operating mode is also switched too. Given non-identity between the data items without faults, i.e. if a number of n asymmetrical data items or telegrams are received within a time range or interval, the media-redundant operating mode is automatically switched off. Depending on the number of available data transmission units 6, the system is switched over into an operating mode which has a lower availability in comparison with the media-redundant operating mode, for example is switched into the system-redundant operating mode with a data transmission via a single priority channel or a plurality of priority channels.

[0023] Depending on the type and embodiment of the automation system 2, a statistics counter for sensing the number of faulty telegrams or faulty data transmissions is provided for each data transmission unit 6 by means of the redundancy module 8. Given automation systems 2 with particularly high reliability standards, for example in controllers for power stations or chemical systems, each data transmission unit 6 is sampled 8 times and correspondingly evaluated and diagnosed in order to increase the reliability. By reference to the faults statistic, it is also easily possible to define one of the data transmission units 6 as the priority channel for the transmission of data. Faulty data flows can be detected in good time by means of an additional diagnostic function using the redundancy module 8 so that preventative maintenance is made possible.
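
The reception-end behaviour of paragraphs [0018] to [0023] for two data transmission units, sketched as an added Python example that is not part of the patent text. The CRC-32 fault check, the telegram fields, the 10 ms synchronization window, n = 3, the 1 s interval and all names are assumptions, as are discarding an unmatched pair while the mode is kept and leaving the media-redundant mode when the synchronization window is exceeded.

```python
import zlib
from collections import namedtuple
from dataclasses import dataclass, field
from enum import Enum
Mode = Enum("Mode", "BASIC MEDIA_REDUNDANT SYSTEM_REDUNDANT")
# Assumed telegram layout: payload, CRC-32 of the payload, receive time (s).
Telegram = namedtuple("Telegram", "payload crc t")

def telegram(payload, t, corrupt=False):
    """Build a constructed sample telegram, optionally with a bad checksum."""
    return Telegram(payload, zlib.crc32(payload) ^ int(corrupt), t)

@dataclass
class RedundancyModule:
    sync_window: float = 0.010  # assumed maximum delay between the channels
    n_asym: int = 3             # assumed n for asymmetrical telegrams
    interval: float = 1.0       # assumed observation interval in seconds
    preferred: int = 0          # predefined preferred channel
    mode: Mode = Mode.BASIC
    priority: object = None     # index of the priority channel, if any
    faults: list = field(default_factory=lambda: [0, 0])  # statistics counters
    asym: list = field(default_factory=list)  # times of asymmetrical pairs

    def _system_redundant(self, good):
        """Drop to system-redundant mode and pick the priority channel."""
        self.mode = Mode.SYSTEM_REDUNDANT
        if len(good) == 1:
            self.priority = good[0]            # the channel with fault-free flow
        elif self.faults[0] != self.faults[1]:
            self.priority = self.faults.index(min(self.faults))  # fewest faults
        else:
            self.priority = self.preferred
        return self.priority

    def receive(self, a, b):
        """One telegram per channel (None = none received); returns payload or None."""
        pair = (a, b)
        good = [ch for ch, tg in enumerate(pair)
                if tg is not None and zlib.crc32(tg.payload) == tg.crc]
        for ch in (0, 1):
            self.faults[ch] += ch not in good
        if len(good) < 2:                      # faulty or one-way data flow
            ch = self._system_redundant(good)
            return pair[ch].payload if ch in good else None
        if abs(a.t - b.t) > self.sync_window:  # outside synchronization window
            return pair[self._system_redundant(good)].payload
        if a.payload == b.payload:             # synchronized, identical data
            self.mode, self.priority = Mode.MEDIA_REDUNDANT, None
            return a.payload
        now = max(a.t, b.t)                    # fault-free but asymmetrical
        self.asym = [t for t in self.asym if now - t <= self.interval] + [now]
        if self.mode is not Mode.MEDIA_REDUNDANT or len(self.asym) >= self.n_asym:
            return pair[self._system_redundant(good)].payload
        return None  # assumption: discard the unmatched pair, keep the mode
```

Only telegrams that pass the fault check ever reach the caller, and the per-channel counters in `faults` decide the priority channel whenever both channels deliver fault-free data that cannot be treated as redundant.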

1. A method for transmitting data in a redundant automation system (2), comprising a number of data transmission units (6) and a number of data processing units (4), in which method a data flow which characterizes the data transmission is continuously monitored on the respective data transmission units (6) and, as a function of the data flow, switching over is performed between different operating modes in such a way that, when a synchronized data flow is present on at least two data transmission units (6), an operating mode is set which has a higher availability in comparison with an operating mode when there is a faulty or one-way data flow on one of the data transmission units (6).
 2. The method as claimed in claim 1, in which the subsequent data flow is implemented via one of the data transmission units (6) or via a plurality of data transmission units (6) as a function of the operating mode which is set.
 3. The method as claimed in claim 1 or 2, in which a predefined operating mode is set as a function of the state of one of the data processing units (4).
 4. The method as claimed in one of claims 1 to 3, in which one of the data transmission units (6) is defined as a priority channel and a further data transmission unit (6) is defined as a backup channel, as a function of the operating mode which is set.
 5. The method as claimed in one of claims 1 to 4, in which the data flow via all the respective data transmission units (6) is continuously monitored in the operating mode with high availability.
 6. A device (1) for transmitting data in a redundant automation system (2), comprising a number of data processing units (4) which are connected to one another via a number of data transmission units (6), at least one data processing unit (4) comprising a redundancy module (8) for monitoring a data flow which characterizes the data transmission, one of a plurality of operating modes being capable of being set as a function of the data flow by means of the redundancy module, in such a way that when a synchronized data flow is present on at least two data transmission units (6), it is possible to set an operating mode which has a higher availability in comparison with an operating mode when there is a faulty or one-way data flow on one of the data transmission units (6). 